Re: password-hashing scheme
On Friday 01 February 2008 17:18:28 Vinh.CTR.Hoang@faa.gov wrote:
> Hi, I'm having trouble trying to get an ldap client to be authenticated by the
> ldap server. I think
> the problem is that I might have the hash scheme configured wrongly or
> something like that.
> I'm on solaris 9 with Openldap 2.3.35. I have the password set as "clear"
> in the ldap.conf
Which ldap.conf? Solaris doesn't have an ldap.conf by default, so is this
nss_ldap or PADL's pam_ldap's ldap.conf, or is this OpenLDAP's ldap.conf?
> and
> password-hash as {MD5} in slapd.conf.
Both of these settings only apply to password changes (assuming ldap.conf is
pam_ldap's ldap.conf). This is covered in the documentation for each piece of
software.
> Am I safe to assume that with these
> settings, it
> means that the client will be sent the passwords over the server as clear
> text and the server
> will hash it to MD5 before checking against its stored password list?
In the case of a simple bind, the password is always sent in the clear. The
password will typically be validated against the contents of the userPassword
attribute for the DN in question, using the password scheme identifier that
precedes that password hash. As such, the password hash type typically can't
be configured incorrectly, as it is stored with the password hash ...
> If
> it is not the case, then how
> should I configure the client and server to be the case?
Regards,
Buchan
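
The check described in the reply above, where the scheme identifier stored in front of the userPassword value selects how a simple-bind password is compared, sketched as an added example (not part of the original message and not OpenLDAP's code). The function names are hypothetical, the sample values are constructed, and treating an unprefixed value as cleartext is an assumption of this sketch.

```python
import base64
import hashlib
import hmac

# scheme name -> (hashlib algorithm, digest length, salted?)
SCHEMES = {
    "MD5": ("md5", 16, False),
    "SMD5": ("md5", 16, True),
    "SHA": ("sha1", 20, False),
    "SSHA": ("sha1", 20, True),
}

def split_scheme(stored):
    """Return (scheme, payload); scheme is None when there is no {SCHEME} prefix."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return None, stored

def verify(stored, password):
    """Compare a cleartext bind password with one userPassword value."""
    scheme, payload = split_scheme(stored)
    pw = password.encode("utf-8")
    if scheme is None or scheme == "CLEARTEXT":
        # Assumption of this sketch: no prefix means the value is cleartext.
        return hmac.compare_digest(payload.encode("utf-8"), pw)
    if scheme not in SCHEMES:
        return False  # unrecognised scheme identifier: fail closed
    algo, dlen, salted = SCHEMES[scheme]
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return False
    digest, salt = raw[:dlen], raw[dlen:]  # salted schemes append the salt
    if len(digest) != dlen or (not salted and salt):
        return False
    return hmac.compare_digest(hashlib.new(algo, pw + salt).digest(), digest)

def make(scheme, password, salt=b""):
    """Build a userPassword value; used here only to construct sample data."""
    algo = SCHEMES[scheme][0]
    d = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(d + salt).decode("ascii"))

if __name__ == "__main__":
    # Constructed samples: the same password stored under different schemes.
    for value in (make("MD5", "secret"), make("SSHA", "secret", b"abcd"), "secret"):
        print(value, verify(value, "secret"), verify(value, "wrong"))
```

Because the stored value names its own scheme, entries hashed under different schemes verify side by side, whatever password-hash is set to for later password changes.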